Okay, as per the URL, all versions of ipsec-tools before version 0.2.5 had an issue with X.509 certificates. 0.2.4 was marked KEYWORDS='~x86 amd64'. The changes from 0.2.4 to 0.2.5 are minimal, and I've talked to the amd64 people (lv) and he said it'd be okay to mark 0.2.5 stable for them. So I've committed 0.2.5 as ~x86 and amd64, and removed all vulnerable versions from portage. Could we please have a GLSA for this made up with all the info? Thanks guys!
looks good. consider it stable on amd64
Peter -- do you have any other information about this bug? (like, what it is?) Looking for a better description than a "nasty security bug"
There is a distinct lack of information about this vulnerability. Emailing one of the developers to request more information.
Received a (fast!) response from Michal Ludvig:

"Hi, the problem is that racoon didn't verify digital signatures on Phase1 packets. It means that anybody holding the correct X.509 certificate, even without the corresponding private key (!!!), was able to set up a connection to the broken racoon or act as a man in the middle during the connection setup.

Of course some other precautions must have been met as well:
- the attacker must have got the certificate that the racoon would accept.
- there might have been other restrictions on the gateway, e.g. fixed remote address, etc.

Very likely a man-in-the-middle attack was perfectly possible with this bug. Success of other attacks depends on the gateway configuration.

Technical description: Function crypto_openssl.c:eay_rsa_verify() contained this code:

    [...]
    evp = d2i_PUBKEY(NULL, &bp, pubkey->l);
    if (evp == NULL)
        return 0;
    [...]

Calling d2i_PUBKEY() is not correct in this context so it always returned NULL and subsequently the whole function returned 0, which means success (bad typo). Solution is to obtain the public key 'evp' using a correct OpenSSL function (namely X509_get_pubkey() in our case) and return -1 if it failed.

The bug was reported by Ralf Spennenberg and fixed by me in IPsec-tools 0.2.5 and 0.3rc5. Since today KAME racoon has my fix in the CVS as well. All older versions of IPsec-tools and KAME racoon since Sep 11 2001 are affected."
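The failure mode Michal describes (a key-loading call that can never succeed, followed by an error path that reports success) is reproduced below as an added example. This is not racoon's or ipsec-tools' code; it is written in Go rather than C so that it runs stand-alone with only the standard library's X.509 and RSA support. It mirrors the bug by feeding a whole DER certificate to a parser that expects a bare SubjectPublicKeyInfo (the analogue of calling d2i_PUBKEY() on a certificate) and returning 0 on the resulting error, then shows the corrected flow that extracts the key from the parsed certificate and returns -1 on any failure. The return convention (0 = good, -1 = bad), the self-signed certificate and the message being signed (a stand-in for the Phase 1 hash) are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Peer is what the responder has in hand when the Phase 1 SIG payload arrives:
// the peer's DER-encoded X.509 certificate and the signature it sent.
type Peer struct {
	CertDER []byte
	Sig     []byte
}

// Return convention follows eay_rsa_verify(): 0 means the signature verified,
// -1 means it did not (or could not be checked).

// vulnerableVerify mirrors the pre-0.2.5 control flow. ParsePKIXPublicKey expects
// a bare SubjectPublicKeyInfo, so handing it a whole certificate always fails
// (like d2i_PUBKEY() on a certificate), and that failure is reported as success.
func vulnerableVerify(p *Peer, msg []byte) int {
	pub, err := x509.ParsePKIXPublicKey(p.CertDER) // wrong parser for this input
	if err != nil {
		return 0 // the "bad typo": failure path reports success
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return -1
	}
	h := sha256.Sum256(msg)
	if err := rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, h[:], p.Sig); err != nil {
		return -1
	}
	return 0 // never reached for a certificate input: the check is dead code
}

// fixedVerify mirrors the 0.2.5 fix: parse the certificate, take the public key
// from it (the analogue of X509_get_pubkey()), and fail closed on every error.
func fixedVerify(p *Peer, msg []byte) int {
	cert, err := x509.ParseCertificate(p.CertDER)
	if err != nil {
		return -1
	}
	rsaPub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return -1
	}
	h := sha256.Sum256(msg)
	if err := rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, h[:], p.Sig); err != nil {
		return -1
	}
	return 0
}

// makeCert builds a constructed self-signed certificate standing in for the one
// the gateway would accept from its peer.
func makeCert() (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "peer.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der, err
}

// Verdicts collects both verifiers' answers for the genuine peer and for an
// attacker who has the certificate but not the private key.
type Verdicts struct{ LegitVuln, LegitFixed, ForgedVuln, ForgedFixed int }

func RunScenario() (Verdicts, error) {
	key, der, err := makeCert()
	if err != nil {
		return Verdicts{}, err
	}
	msg := []byte("constructed stand-in for the Phase 1 hash the initiator signs")
	h := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return Verdicts{}, err
	}
	legit := &Peer{CertDER: der, Sig: sig}
	forged := &Peer{CertDER: der, Sig: make([]byte, len(sig))} // certificate only, zeroed SIG
	return Verdicts{
		LegitVuln:   vulnerableVerify(legit, msg),
		LegitFixed:  fixedVerify(legit, msg),
		ForgedVuln:  vulnerableVerify(forged, msg),
		ForgedFixed: fixedVerify(forged, msg),
	}, nil
}

func main() {
	v, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine peer:  vulnerable=%d fixed=%d\n", v.LegitVuln, v.LegitFixed)
	fmt.Printf("forged SIG:    vulnerable=%d fixed=%d\n", v.ForgedVuln, v.ForgedFixed)
}
```

The vulnerable verifier returns 0 for the forged signature just as it does for the genuine one, which is exactly why the bug went unnoticed in normal operation: every legitimate peer still connected. A regression test for a signature verifier therefore needs the negative case (right certificate, wrong or empty signature must be rejected) as much as the positive one.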
GLSA 200404-05
*** Bug 47322 has been marked as a duplicate of this bug. ***
Created attachment 114801

!!! ERROR: media-libs/libsdl-1.2.11 failed.
Call stack:
  ebuild.sh, line 1614: Called dyn_compile
  ebuild.sh, line 971: Called qa_call 'src_compile'
  environment, line 3612: Called src_compile
  libsdl-1.2.11.ebuild, line 159: Called die